DBV Secure Application Roles

Oracle SARs are database roles that can be enabled only from within a PL/SQL program. The PL/SQL program will typically perform a series of checks to determine whether the conditions are correct for the role to be enabled. DBV provides an integration capability with Oracle SARs that allow you define these conditions using a DBV rule set.

To help illustrate how DBV Secure Application Roles work, consider the DBV Is System Maintenance Allowed rule set presented earlier in the chapter. This rule set allowed system maintenance routines on Fridays from 5 to 11 P.M. We can reuse this rule set to control the ability to set a role that has DELETE privileges on tables protected by the Sales History DBV realm for the purpose of archiving and deleting records that no longer need to be maintained in the table. Privileges that allow for the update or deletion of data are typically considered security-sensitive operations and are perfect candidates for DBV SARs.